Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Thai Lottery Widget plugin for WordPress, tracked as CVE-2025-13678. It affects all versions of the plugin up to and including 2.5. An authenticated attacker with Contributor-level access or higher can inject arbitrary JavaScript into a WordPress post or page through the plugin's shortcode. The injected script is stored with the post and executes in the browser of every user who views the affected page, including administrators, which can lead to account compromise, data theft, or website defacement.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the width and height attributes of the thailottery shortcode. The plugin takes the attribute values supplied in the shortcode and concatenates them into HTML attributes of the rendered iframe without checking that they are dimensions and without escaping them for attribute context. A value containing a double quote therefore closes the attribute, and whatever follows it is interpreted as further markup, such as an event-handler attribute. The Contributor role matters here: Contributors lack the unfiltered_html capability, so raw HTML they submit is run through wp_kses, which strips event handlers from tags. A shortcode, however, is stored as plain text, passes that filter untouched, and is only expanded into HTML at render time, after the filtering has already happened.
Here is a simplified illustration of the vulnerable pattern (based on thailottery.php; not the plugin's exact source):
    // Simplified example demonstrating the vulnerability (based on thailottery.php)
    function thailottery_shortcode( $atts ) {
        // shortcode_atts() only fills in defaults; it performs no validation.
        $atts = shortcode_atts( array(
            'width'  => '200',
            'height' => '100',
        ), $atts );
        $width  = $atts['width'];  // No sanitization: arbitrary text is accepted
        $height = $atts['height']; // No sanitization: arbitrary text is accepted
        // Unescaped concatenation into attribute context: a double quote in
        // $width or $height terminates the attribute and injects new markup.
        $output = '<iframe src="example.com" width="' . $width . '" height="' . $height . '"></iframe>';
        return $output;
    }
Because the rendered attribute is wrapped in double quotes, the injected value must itself contain a double quote to break out of it. WordPress shortcode syntax allows that when the shortcode attribute value is wrapped in single quotes, so an attacker with Contributor access could place the following in a post:
    [thailottery width='100" onload="alert(document.domain)' height="100"]
The vulnerable handler renders this as:
    <iframe src="example.com" width="100" onload="alert(document.domain)" height="100"></iframe>
The onload handler then fires in the browser of every visitor once the iframe has loaded, regardless of whether the iframe's own content loads successfully.
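The following is a hardened version of the shortcode handler, added here as an example and not the plugin's own patch. It assumes it runs inside WordPress (shortcode_atts, absint, esc_attr, esc_url and add_shortcode are WordPress core functions); the iframe URL and the default sizes are placeholders. The key change is that width and height are treated as what they are, dimensions, so the only accepted input is a non-negative integer, and the values are still escaped at output time.

```php
<?php
/*
 * Hardened thailottery shortcode handler (added example, not the plugin's
 * own code). Assumes a WordPress runtime. The src URL is a placeholder.
 */
function thailottery_shortcode_hardened( $atts ) {
    $defaults = array(
        'width'  => 200,
        'height' => 100,
    );

    // Third argument enables the shortcode_atts_thailottery filter so
    // site owners can further constrain the attributes if they wish.
    $atts = shortcode_atts( $defaults, $atts, 'thailottery' );

    // Validation: absint() casts to int and drops the sign. For the payload
    // 100" onload="alert(document.domain) this yields 100; for non-numeric
    // text it yields 0, which we replace with the default below. Either way
    // no quote or angle bracket can survive into the output.
    $width  = absint( $atts['width'] );
    $height = absint( $atts['height'] );

    if ( 0 === $width ) {
        $width = $defaults['width'];
    }
    if ( 0 === $height ) {
        $height = $defaults['height'];
    }

    // Placeholder target; the real plugin embeds its own URL here.
    $src = 'https://example.com/';

    // Output escaping: esc_url() for the src attribute, esc_attr() for the
    // other attribute values. Escaping is applied even though the dimensions
    // are already integers, so the output stays safe if the validation above
    // is ever relaxed.
    return sprintf(
        '<iframe src="%s" width="%s" height="%s"></iframe>',
        esc_url( $src ),
        esc_attr( (string) $width ),
        esc_attr( (string) $height )
    );
}

// Registering under the same tag replaces the vulnerable handler.
add_shortcode( 'thailottery', 'thailottery_shortcode_hardened' );
```

The two controls are independent: absint() is the input validation that rejects anything that is not a dimension, and esc_attr()/esc_url() are the output escaping that would neutralize a quote even if a non-numeric value somehow reached the template. A fix that only escapes would still emit width="100&quot; onload=&quot;alert(document.domain)", which is harmless but ugly; validating first keeps the rendered markup clean.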
CVSS Analysis
The CVSS 3.1 base score for CVE-2025-13678 is 6.4 (Medium), which corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, the standard scoring for Contributor-level stored XSS in WordPress plugins:
- Attack Vector (AV): Network (N) – the shortcode is submitted through the normal web interface.
- Attack Complexity (AC): Low (L) – a single crafted shortcode in a post is sufficient; no race or special condition is required.
- Privileges Required (PR): Low (L) – Contributor access is enough, because the shortcode text passes the HTML filtering applied to that role.
- User Interaction (UI): None (N) – the payload fires when any user, including an administrator, simply views the page in the normal course of using the site; no further action by the victim is needed.
- Scope (S): Changed (C) – the vulnerable component is the plugin running on the server, but the injected script executes in other users' browsers, a different security authority.
- Confidentiality Impact (C): Low (L) and Integrity Impact (I): Low (L) – the script can read and change what the victim's browser can, but only within that user's session.
- Availability Impact (A): None (N) – the injection does not affect the availability of the site itself.
As a check on the arithmetic: the same vector with UI:R and A:L computes to 6.5, so the 6.4 score implies UI:N and A:N as listed above.
Possible Impact
Successful exploitation can have several consequences, all bounded by what the victim's browser is permitted to do on the site:
- Account Takeover: If an administrator or editor views the injected page while logged in, the script runs with that user's session. WordPress sets its authentication cookies with the HttpOnly flag, so reading them through document.cookie normally fails; the practical route is to have the victim's browser perform privileged actions directly, for example fetching a wp-admin page to obtain a nonce and then creating a new administrator account or installing a plugin.
- Website Defacement: The script can rewrite the DOM of the affected page for every visitor.
- Redirection to Malicious Sites: Visitors can be redirected to phishing pages or sites distributing malware.
- Data Theft: Any data the page or other same-origin pages expose to the victim's browser (form contents, personal information shown in the admin area, REST API responses) can be exfiltrated to an attacker-controlled host.
Mitigation/Patch Steps
Take one of the following steps, in order of preference:
- Update the Plugin: If a patched version (later than 2.5) of the Thai Lottery Widget plugin is available, update to it immediately. Check the WordPress plugin repository for updates.
- Remove the Plugin: If no update is available, deactivate and delete the plugin to eliminate the vulnerability. Once the shortcode is no longer registered, WordPress leaves any injected [thailottery ...] text unexpanded, so existing payloads render as harmless literal text. Evaluate whether alternative plugins offer similar functionality with better security practices.
- Implement Web Application Firewall (WAF) Rules: As a stopgap, add WAF rules that block requests to the post editor or the REST API whose body contains a thailottery shortcode with quotes or event-handler attributes (on...=) in its width or height values. This is a temporary measure and not a replacement for updating or removing the vulnerable plugin.
Whichever option you choose, also audit existing content. The vulnerability is stored, so a payload may already be sitting in a post or page written by a Contributor, and a WAF added after the fact does nothing about content that is already in the database. Search post content for the shortcode and review any width or height value that is not a plain number.
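The following WP-CLI script carries out that audit; it is an added example, not part of the plugin or of WordPress. It assumes WP-CLI with a bootstrapped WordPress install, so that $wpdb, get_shortcode_regex(), shortcode_parse_atts() and get_userdata() are available, and it is run as wp eval-file find-thailottery-xss.php (the file name is the author's choice). It pulls every post row whose content mentions the shortcode, parses each occurrence with the same shortcode machinery WordPress uses, and flags width or height values that are not a plain dimension.

```php
<?php
/*
 * Hunt for injected thailottery shortcodes in stored content.
 * Added example, not part of the plugin or of WordPress.
 * Run with:  wp eval-file find-thailottery-xss.php
 * Assumes WP-CLI with a bootstrapped WordPress install.
 */

global $wpdb;

// Narrow the scan to rows that can contain the shortcode at all.
// esc_like() escapes the LIKE wildcards in the literal before prepare().
$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT ID, post_author, post_type, post_status, post_content
           FROM {$wpdb->posts}
          WHERE post_content LIKE %s",
        '%' . $wpdb->esc_like( '[thailottery' ) . '%'
    )
);

// A legitimate dimension is digits, optionally followed by px or %.
// Anything else (quotes, spaces, on...= handlers) deserves a look.
$dimension = '/^\d+(?:px|%)?$/';

// get_shortcode_regex() returns the pattern WordPress itself uses to find
// shortcodes; group 3 of a match is the raw attribute string.
$pattern  = get_shortcode_regex( array( 'thailottery' ) );
$findings = 0;

foreach ( $rows as $row ) {
    if ( ! preg_match_all( '/' . $pattern . '/', $row->post_content, $matches, PREG_SET_ORDER ) ) {
        continue;
    }
    foreach ( $matches as $m ) {
        // shortcode_parse_atts() applies the same single-/double-/unquoted
        // rules as the renderer, so we see exactly the value the plugin saw.
        $atts = shortcode_parse_atts( $m[3] );
        if ( ! is_array( $atts ) ) {
            continue; // no attributes on this occurrence
        }
        foreach ( array( 'width', 'height' ) as $key ) {
            if ( ! isset( $atts[ $key ] ) || preg_match( $dimension, $atts[ $key ] ) ) {
                continue;
            }
            $findings++;
            $author = get_userdata( $row->post_author );
            WP_CLI::warning( sprintf(
                'post %d (%s, %s) by %s: %s=%s',
                $row->ID,
                $row->post_type,
                $row->post_status,
                $author ? $author->user_login : 'uid ' . $row->post_author,
                $key,
                $atts[ $key ]
            ) );
        }
    }
}

WP_CLI::success( sprintf(
    'scanned %d post(s) mentioning the shortcode, %d suspicious attribute value(s)',
    count( $rows ),
    $findings
) );
```

Revisions and drafts are included deliberately: a Contributor's payload usually sits in a pending or draft post waiting for an editor to preview it, and previewing is enough to trigger the script. Treat every hit as an incident indicator, review the author account, and remove or edit the offending post before re-enabling a patched plugin.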
